mount.ceph reads secretfile in and passes mount the actual secret. It becomes <hidden> in /proc/mounts, but /etc/mtab is created by mount and isn't cleaned up by the kernel, so the key remains there visible for anyone to see in its full glory. Oops ;-)
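
A defensive check for the exposure described in the report above, as an added example that is not part of the original report or of Ceph's own code: it scans mtab-style text for ceph mounts whose secret= option is anything other than <hidden>, and reports only the device and mount point, never the key. The function name, sample table, addresses and key are constructed for illustration.

```python
"""Audit an mtab-style mount table for Ceph secrets left in clear text."""

HIDDEN = "<hidden>"  # value the report says /proc/mounts shows instead of the key


def find_exposed_ceph_secrets(mtab_text):
    """Return (device, mountpoint) for ceph mounts whose secret= is in the clear.

    The secret value itself is never returned or printed.
    """
    exposed = []
    for line in mtab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # mtab fields: device, mountpoint, fstype, options, dump, pass
        if len(fields) < 4 or fields[2] != "ceph":
            continue
        device, mountpoint, _fstype, options = fields[:4]
        for opt in options.split(","):
            # Split on the first '=' only: base64 keys can end in '=' padding.
            key, sep, value = opt.partition("=")
            if key == "secret" and sep and value != HIDDEN:
                exposed.append((device, mountpoint))
                break
    return exposed


# Constructed sample data; the key is a made-up placeholder, not a real secret.
SAMPLE_MTAB = """\
/dev/sda1 / ext4 rw,errors=remount-ro 0 0
192.0.2.10:6789:/ /mnt/ceph ceph rw,name=admin,secret=QUJDREVGR0g= 0 0
192.0.2.11:6789:/ /mnt/other ceph rw,name=admin,secret=<hidden> 0 0
"""


if __name__ == "__main__":
    import sys

    # With a path argument (for example /etc/mtab) audit that file,
    # otherwise run against the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_MTAB
    for device, mountpoint in find_exposed_ceph_secrets(text):
        print(f"clear-text ceph secret in mount table: {device} on {mountpoint}")
```

Any mount it reports has had its key readable by every local user, so that key should be rotated once the entry is cleaned up.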

Thanks! It seems that this fix missed ceph-0.26, even though mount.ceph (that presumably was the bit that needed fixing) is part of it. Is there any particular reason why this is marked for Linux kernel client rather than... whatever component name the mount.ceph program in ceph gets? Is it because the fix requires kernel interface changes?